encrypting different portions of a logon packet with different keys based on the nature of the communications link. Nodes attached to a particular LAN can have one level of security for data transfer within the LAN, while data transfers between LANs on a private network can have a second level of security, and LANs connected via public networks can have a third level of security. The level of security can optionally be selected by the user. Data transfers between nodes of a network are kept in separate queues to reduce queue search times and enhance performance.
NETWORK WITH SECURE COMMUNICATIONS SESSIONS



BACKGROUND OF THE INVENTION

1. Technical Field

The present invention relates to computer network security. In particular, it relates to networks which use dynamic packet headers and multiple levels of packet encryption to transfer data to and from a remote server or to and from another node in the local network.

2. Background Art

The development of small independent systems such as personal computers has provided several benefits to users. By providing each user with their own processor and data storage, personal computers provide consistent performance and data security. A cost of these benefits is the inconvenience which results from the inability to easily access data by other members of an organization.

The use of mainframe systems, and the later development of alternative systems such as LANs (Local Area Networks) and servers, reduces the inconvenience of making data available within an organization, but results in unpredictable performance and, more importantly, results in exposure of sensitive data to unauthorized parties. The transmission of data is commonly done via packet based systems which have user ID and password information in a header section. Interception of a packet with header information allows the interceptor to learn the user ID and password, which will in turn allow future penetration of the user's system and unauthorized access to the user's data. It would be desirable to transmit user identification and password information in a manner which would be indecipherable to an unauthorized interceptor.

Data security is endangered not only by access by outside parties such as hackers, industrial spies, etc., but also by inadvertent disclosure of data to unauthorized members of the organization. For example, data exchange at certain levels of an organization may require that the information not be disclosed to the general employee population. Likewise, the transmission of personal information such as banking codes over networks has exposed individuals using online financial systems to the possibility of fraudulent access to their funds by third parties.

In addition to data security, the use of network systems such as LANs has created performance problems due to the [two lines illegible in the source]. It would be advantageous if a system could provide not only data security, but also more consistent performance.

The prior art has failed to provide network systems which ensure that access to data is restricted to authorized parties while at the same time providing more consistent performance.

SUMMARY OF THE INVENTION

The present invention solves the foregoing problems by providing a system which uses three way password authentication, encrypting different portions of a logon packet with different keys based on the nature of the communications link. Nodes attached to a particular LAN can have one level of security for data transfer within the LAN, while data transfers between LANs on a private network can have a second level of security, and LANs connected via public networks can have a third level of security. The level of security can optionally be selected by the user. Data transfers between nodes of a network are kept in separate queues to reduce queue search times and enhance performance.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a diagram showing the connection between applications and the requester in a local system.

FIG. 2 is the diagram of FIG. 1 with a more detailed view of the requester.

FIGS. 3A-B are a flow diagram illustrating data transfer between the application and requester of the preferred embodiment.

FIGS. 4A-C are diagrams of the memory layout of packet headers used in the preferred embodiment.

FIGS. 5A-B are diagrams showing the memory layout of entries in the packet queue. FIG. 5A is the memory layout used for TCP/IP and NetBIOS. FIG. 5B is the memory layout used by SMODEM or SRS232 communications systems.

FIG. 6 is a diagram of a multi-requester system with a single server.

FIG. 7 is a diagram illustrating a single requester attached to multiple servers.

FIG. 8 is a diagram showing a requester (machine A) interconnected with two servers (machines B-C).

FIG. 9 is a diagram illustrating multiple requesters connected to servers via local area networks (LANs), wide area networks and public telephone networks.

FIG. 10 is a diagram illustrating multiple requesters connected to servers and server/requester systems.

FIG. 11 is a diagram illustrating the server used in the preferred embodiment.

FIG. 12 is a diagram illustrating the read/write threads and packet queues used by the server of FIG. 11.

FIGS. 13A-D are diagrams illustrating the packet headers used in the logon procedure of the preferred embodiment.

FIG. 13E is a diagram illustrating the packet headers during data transfer in the preferred embodiment.

DESCRIPTION OF THE PREFERRED EMBODIMENT

Prior to a detailed description of the figures, a general discussion of the operation of the preferred embodiment follows. A network can take a variety of forms. For example, it can be personal computers communicating via modem; it can be a single LAN system within a particular [illegible]; it can be a remote server or mainframe system with communications links to individual terminals or personal computers; it can be a network of LANs or other servers each communicating with one another or through one another; or it can be any of the foregoing systems which use not only dedicated communications lines, but also nondedicated communications (i.e. public networks such as the [illegible]) [illegible] "firewall". The use of the term firewall herein refers to the requirement for increased levels of security to avoid the possibility of unauthorized data access by parties outside of the organization. Likewise, a machine in the network can act as a client or a server depending on the nature of the data transfer.

In the preferred embodiment, communication between a client and a server is as follows. The server waits for connection requests from clients on the network. The server can be started with one or more supported protocols to enable support of a variety of client types on the network.
For example, the server protocols can include, among others, NetBIOS, TCP/IP, SMODEM and SRS232. All of the foregoing protocols are well known in the art.

When a user on a client machine wishes to initiate a data transfer or other function, the client application activates a requester to access resources in the network. When the server receives a request from a client application, it activates a thread to process the request. A thread is an execution unit of an operating system. Operating systems used for this type of system are Microsoft Windows 95 (trademark of Microsoft Corporation), Microsoft Windows NT (trademark of Microsoft Corporation) and IBM OS/2 (trademark of IBM Corporation). These systems may use multiple session protocols such as NetBIOS and TCP/IP or single session protocols such as SMODEM or SRS232.

In single session protocols such as SMODEM and SRS232, the same thread is used to process the request from a client, since a serial port can act as a server or client but cannot simultaneously act as a server and client. Multiple session protocols create a new thread, referred to as an original thread, and wait for a request from a client. When a request is received, the thread is referred to as a server processing thread, which is used to process the client logon.

After the logon is successfully completed, the server processing thread creates a packet queue and a packet thread to receive incoming packets and place them in the packet queue. The server then waits for packets to arrive. On the client side, the client creates a session write thread to initiate contact with the server. In addition, the client creates a second thread which is referred to as the session read thread. This thread is used to receive packets sent from the server to the client.

To use resources on the network, users must first log on to the server to prove their identity. A logon request is sent from the client's logon application to the requester on the client computer. Before logon data can be exchanged between the applications and the requester, a command manager is created by the requester to accept application requests. The command manager is responsible for housekeeping requests within the client computer.

In the preferred embodiment, the logon procedure uses a three way authentication to prevent the password from being transferred over the network and also to allow both the client and the server to authenticate each other. In addition, the authentication procedure prevents unauthorized penetration of the system security by detecting the replaying of packets by third parties.

The three way authentication system encrypts the very first logon packet with different keys for each part of the packet as follows.

The first step takes place at the client computer as follows.

1. The client generates a 32 bit random number value which is concatenated to a predefined 32 bit constant to form a 64 bit value R.

2. The CRC signature C1 of the 64 bit value R and the user ID is calculated. This signature value allows detection of packet manipulation.

3. The 64 bit value R is used as a DES key to encrypt the user ID. This makes the user ID look random for each logon packet.

4. The client generates a 192 bit key K from the server name to encrypt the 64 bit value R.

5. The client generates a key Ka from the user ID and password using a one way hash function such as the Secure Hash Standard (SHS) specified in the Federal Information Processing Standards Publication 180 (FIPS PUB 180).

6. The client generates a random number Ra, calculates its CRC signature C2, and encrypts them together with the signature C1 using the key Ka. This signature is used by the server to validate the key Ka.

The second step in the process takes place at the server. When the server receives the first logon packet it decrypts the packet as follows.

1. The server generates a key K2 from its machine name and the SHS to decrypt the packet header for identification. If the packet header does not contain the predefined constant, the user is unauthorized. This occurs when an unauthorized user tries to access the server over the phone line but does not know the server name (since the phone number is a public record but the server name is private).

2. If the user is authorized, the server uses the decrypted 64 bit value R in the packet header as a key to decrypt the user ID.

3. The server then uses the user ID to search a database for an access record. If the access record cannot be found, the user has entered an invalid ID and the session is terminated. If the access record is found, the server verifies whether the user is allowed access to network resources at this date and time.

4. If access date and time are verified, the server retrieves the associated one way hashed password Kb from an encrypted password file to decrypt the random number Ra and the CRC signatures. The password file is encrypted with a key Kk which is selected by the system administrator at installation.

5. The random number Ra and the CRC signatures are then decrypted. The server calculates the CRC signatures of the packet header, the user ID and the random number Ra. If the calculated signatures match the decrypted signatures C1 and C2 stored in the packet, and if password Ka matches Kb, the server manipulates the client random number Ra with a predefined formula, generates a random number Rb, and encrypts both random numbers (the manipulated Ra and Rb) with the password Kb before sending the first logon response packet to the client.

The third step in the process takes place at the client computer as follows.

1. The client decrypts the first logon response packet.

2. The client manipulates the random number Ra with the predefined formula and compares it with the one returned from the server. If the numbers match, the client knows that it is connected to the correct server, not a fraud server from which an eavesdropper has captured transmissions from a previous logon and is echoing packets back to the client computer.

3. The client manipulates the random number Rb with another predefined formula and concatenates it with the client's initiating data (i.e., the client initial packet sequence number, the encryption and compression mode for the session, and the operating system platform ID) to form a second logon packet. The operating system platform ID is useful for selecting protocols and data formats when a particular client or server is communicating with systems that may have any one of a variety of operating system software programs running. The client would typically request encryption and compression modes for the session. However, the server may indicate that the particular modes requested are not available.

4. The client then encrypts the second logon packet and sends it to the server.

The fourth step in the process takes place at the server computer as follows.

1. The server decrypts the second logon packet.
2. [missing at the page break]

3. [The server generates a] session key Ks and an initialization vector IV in the preferred embodiment. Ks and IV are generated by the formula specified in Appendix C of the ANSI X9.17 standard.

4. Ks and IV are sent to the client along with the server initiating data (i.e., the server initial packet sequence number, supported and/or approved encryption and compression modes for the session, and the server operating system platform ID).

The client and server initial packet sequence numbers are used to detect packet deletion and insertion for data exchanged after the logon procedure.

At the client computer:

1. The second logon response packet is decrypted by the client.

2. The client encrypts Ks and IV with its own key and saves them in memory for future communication with the server. The logon procedure completes.

After the logon procedure is successfully completed, all packet headers are encrypted using the session key Ks and the IV. The packet header encryption prevents intruders from deleting, inserting, modifying or replaying packets which may have been [illegible] exchanged over communication lines.

For ease of illustration, the following symbols can be used to illustrate the logon procedure:

Where:

C=a client

S=a server

E=a symmetric cryptosystem such as DES

K=an encryption key generated from the server name

R=a 32 bit random number concatenated with a 32 bit predefined constant

Ka=a 192 bit key one way hashed from the user ID and password

Ra=a 64 bit random value generated by C

f()=a hash function such as CRC to calculate the signatures

g()=a hash function such as CRC to calculate the signatures

UID=user IDs

Rb=a 64 bit random value generated by S

Dc=client initial data

IV=an initial chaining vector for encryption

Ks=a session encryption key

Ds=server initial data

R'a=ha(Ra)

R'b=hb(Rb)

The logon procedure may be listed as:

1. C to S: EK(R), EKa(Ra, f(Ra), g(R, UID)), ER(UID)

2. S to C: EKb(R'a, Rb)

3. C to S: EKa(R'b, Dc)

4. S to C: EKb(IV, Ks, Ds)

[illegible] authentication procedure is in the middle [illegible] Ra and the CRC signatures. Since the CRC signature C2 of [illegible] authenticate the user right on [illegible] challenge-response fashion is to help the server defeat the replaying of the logon packet and [illegible] the server and to defeat [illegible].

The 32-bit random number in the packet header is used to [illegible]. [illegible] number is [illegible] or a call generated by a manual or [illegible] being received). [illegible] from user ID [illegible] creating a one-way hashed password [illegible] portability of the database. For example, when a [illegible], the database can be easily transferred to the new [illegible]. It is more time-consuming to delete unauthorized users from the database than to add the new one. To better protect the valuable information in the database, a password is required before access [to the database is] granted. More important, the database can [illegible]. Sb can [illegible] first logon packet and forward the user ID to a [illegible] a private network for verification. If an access record is found and the user can access the [illegible] the encrypted one-way hashed password Kb to the server Sb [illegible] challenge-response as if the [illegible] from a local database. Note that the database server Sc encrypts the one-way hashed password [illegible] Sb and Sc before sending it across the private [network].

[illegible] in the prior art the [illegible] receiver. If the secret key is invalid, the [illegible] be received before the receiver can resynchronize, or the receiver might have to use a timeout to resynchronize [illegible].

The logon protocol of the preferred embodiment is [illegible] a client/server distributed environment. The protocol allows both client and server to authenticate each other without sending the user password over the communication media and prevents intruders from deleting, inserting, modifying, or replaying the logon packets. In addition, if the logon procedure fails at any point, the server releases all resources and destroys the connection without sending the response packet at that point. If the user enters a wrong server name in the very first logon packet, nothing is sent out from the server, to prevent the user, a potential intruder, from knowing anything about the server. Note that this mutual authentication technique requires the client machine to have a local CPU so that the password will not be transmitted over the network before being encrypted.

The client can now perform a mounting procedure to link a network resource on the server to a virtual disk, or it can [illegible] a network resource with the following format: [illegible]:protocol. The format allows the client's logon communication protocol to differ from its mounting communication protocol. Also, [illegible] disks can be mounted with different protocols to different network domains. This method allows [illegible] between a client and network domains, and between a network domain and other network domains, using multiple communication protocols simultaneously.

Referring to FIGS. 1 and 2, FIG. 1 illustrates the interconnection between a client and a server. FIG. 2 is a more detailed view of the system of FIG. 1.

To perform a file transfer operation, an application 102 [two lines illegible] calls a local [illegible]. If the resource is local, the request router 106 issues a local system function call to perform the request and returns control to the application 102. If the resource is remote, the request router 106 first [searches its list] to see if the needed communication handle is in the list. This communication handle [contains information of] the read 204 and write 208 tokens (shown in FIG. 2) and their associated resources. If the handle is not found in the local list, the request router 106 sends a message to the requester 110 over the request channel 112 to obtain the handle. Once the handle is obtained, the request router 106 creates a response signal, i.e., a [illegible], requests the ownership of the write token 208, puts the response signal into the packet header, builds a packet based on the application's 102 request into the write token 208, and signals the session write thread 206 of the communication [illegible]. [illegible] packet capacity, the request router 106 can send multiple packets in a series at that point. After the packet is sent to the server, the request router releases the write token for use by the same process or a different process. If the packet was sent to the server successfully, the request router waits for the corresponding response packet(s), because multiple response packets [may be] returned from the server. When a response packet arrives, the session read thread uses the response signal to tell the corresponding request router that its response packet has come and [to give it] the read token. At that time, the read token is accessed [illegible].

[illegible] application 102. The final response packet is [illegible] packet attribute. [The request router 106 sends a] message to the command [manager of the] requester 110 to request the communication handle containing information of the read 204 and write 208 tokens and their associated resources. If the handle already exists, [it is returned] to the request router 106 immediately after the requester 110 increments the access count of the handle. However, if the handle does not exist at that time, the requester 110 will load the appropriate communication library, allocate the tokens 204, 208 and their associated resources, and create a communication channel consisting of a [illegible]. Upon receiving the handle, the request router 106 saves [it and uses it] during the entire lifetime of the application 102. When the application 102 terminates, [the requester 110 is informed] of the event so that it can [decrement the] access count of the handle. When the access [count stays at zero for a period] of time, the session [illegible] of the requester 110 will drop the communication [channel and release] their associated [resources and unload the] communication library. Thus, this method allows resources to be allocated upon demand and [released when no longer] in use. Furthermore, the request [router 106 allows] [illegible] 120, 122, 124 to [illegible] use the [illegible]. The request router 106 can also perform any preparation necessary to transfer the application 102 request to the requester 110 before requesting the ownership of the write token 208, to reduce the time it takes to access the write token 208. In addition, the request router 106 remembers resources [illegible] to one application 102 at a time. Thus, it reduces the time [to search for the] needed information. With this method of [sending and receiving] packets, data can be exchanged asynchronously between a client and a server with minimum [illegible]. In addition, request packets [can be queued] for processing while the [previous response packets are being] processed [by the communication] drivers 120, 122, 124, 126 or traveling over the network. [The command manager] 104 and message manager 130 are used [to handle] system messages transmitted in the system. Currently, [illegible] and mounting file 132 are [illegible] resources. The session [illegible] is to control each session between a [client and a server].

FIGS. 3A-B are a flowchart which illustrates the transfer of data in a session after the logon procedure has completed. When a resource request 302 is made, the system checks to see if it is for a local resource 304. If so, [the request is performed locally] and control is returned 310 to the application. If it is not a local resource, the system creates a response signal 306. If the response signal 306 cannot be created, [illegible] to the application. [Otherwise the system searches] 314 for the communication handle. If the handle is not found 316, a communication handle is obtained 318 from the requester and then [illegible] in the packet header 326, a request packet is built into the write token 328, the write thread sends the packet, and the write token is released 332. If an error is detected when the packet is sent, the response signal is destroyed 342 and control is returned 344 to the application. If no errors occur during packet transmission 344, then the system waits 336 for the response packet, the data in the response packet is transferred 338 into the application's buffer, the read token is released 340, the response signal is destroyed 342 and control is returned 344 to the application.
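The logon exchange described above (the client and server steps and the four-message listing C to S, S to C, C to S, S to C) can be run end to end as an added example; this is Python written for this page, not code from the patent or its preferred embodiment. Every primitive is a stand-in and an assumption: DES is replaced by an XOR keystream drawn from HMAC-SHA256 so that the structure runs without a DES library (it is there for the message layout, not as a recommended cipher), the SHS hash by hashlib.sha1 stretched to 192 bits, f() and g() by CRC-32, the two "predefined formulas" ha and hb by a bit-wise complement, the 32 bit constant by b"LOGN", and the encrypted password file by a dictionary of Kb values. The access date/time check of the second step is omitted. The method names logon1, logon2, logon3, on_logon1 and on_logon2 are chosen here; the page names none.

```python
import hashlib, hmac, os, struct, zlib

CONST = b"LOGN"                     # the predefined 32 bit constant (value assumed)

def _keystream(key, iv, n):
    blocks = (hmac.new(key, iv + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def enc(key, pt):                   # stand-in for E_key(pt): random iv || pt XOR keystream
    iv = os.urandom(8)
    return iv + bytes(a ^ b for a, b in zip(pt, _keystream(key, iv, len(pt))))

def dec(key, ct):
    iv, body = ct[:8], ct[8:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, iv, len(body))))

def crc(*parts):                    # f()/g(): CRC-32 signature of the concatenated parts
    return struct.pack(">I", zlib.crc32(b"".join(parts)))

def key_from_name(name):            # K (client) / K2 (server): 192 bit key from the server name
    return hashlib.sha256(name.encode()).digest()[:24]

def key_from_credentials(uid, pw):  # Ka (client) / Kb (password file): one way hash, 192 bits
    h = hashlib.sha1(uid + b"\x00" + pw).digest()
    return (h + hashlib.sha1(h).digest())[:24]

ha = hb = lambda r: bytes(b ^ 0xFF for b in r)   # the two "predefined formulas" (assumed)

DEMO_USERS = {b"alice": key_from_credentials(b"alice", b"hunter2")}   # constructed password file

class Client:
    def __init__(self, server_name, uid, pw):
        self.K, self.Ka, self.uid = key_from_name(server_name), key_from_credentials(uid, pw), uid
    def logon1(self):               # step 1: E_K(R) | E_Ka(Ra, C2, C1) | E_R(UID)
        self.R, self.Ra = os.urandom(4) + CONST, os.urandom(8)
        c1, c2 = crc(self.R, self.uid), crc(self.Ra)
        return enc(self.K, self.R) + enc(self.Ka, self.Ra + c2 + c1) + enc(self.R, self.uid)
    def logon2(self, resp):         # step 3: check R'a, answer with R'b and Dc
        body = dec(self.Ka, resp)
        if body[:8] != ha(self.Ra): # a fraud server echoing a captured response fails here
            return None
        return enc(self.Ka, hb(body[8:16]) + b"Dc")
    def logon3(self, resp):         # step 5: keep IV and Ks for the session
        body = dec(self.Ka, resp)
        self.IV, self.Ks = body[:8], body[8:32]
        return True

class ServerSession:
    """State of one server processing thread; None means 'send nothing back'."""
    def __init__(self, name, password_file):
        self.K2, self.users = key_from_name(name), password_file
        self.Kb = self.Rb = self.Ks = None
    def on_logon1(self, pkt):       # step 2
        R = dec(self.K2, pkt[:16])
        if R[4:] != CONST:          # wrong server name: stay silent
            return None
        uid = dec(R, pkt[40:])
        self.Kb = self.users.get(uid)          # access record lookup
        if self.Kb is None:
            return None
        body = dec(self.Kb, pkt[16:40])
        Ra, c2, c1 = body[:8], body[8:12], body[12:16]
        if c1 != crc(R, uid) or c2 != crc(Ra): # Ka != Kb, or the packet was manipulated
            return None
        self.Rb = os.urandom(8)
        return enc(self.Kb, ha(Ra) + self.Rb)
    def on_logon2(self, pkt):       # step 4
        body = dec(self.Kb, pkt)
        if body[:8] != hb(self.Rb): # stale or replayed second logon packet
            return None
        self.Ks, self.IV = os.urandom(24), os.urandom(8)
        return enc(self.Kb, self.IV + self.Ks + b"Ds")

def run_logon(client, session):
    """Drive the exchange; False means one side aborted (server silent or client refused)."""
    r1 = session.on_logon1(client.logon1())
    p2 = client.logon2(r1) if r1 is not None else None
    r2 = session.on_logon2(p2) if p2 is not None else None
    return r2 is not None and client.logon3(r2) and client.Ks == session.Ks

def replay_is_rejected():
    """Capture one good exchange, then replay its packets against fresh peers."""
    c, s = Client("srv1", b"alice", b"hunter2"), ServerSession("srv1", DEMO_USERS)
    p1 = c.logon1(); r1 = s.on_logon1(p1); p2 = c.logon2(r1); s.on_logon2(p2)
    c2 = Client("srv1", b"alice", b"hunter2"); c2.logon1()   # fresh Ra
    fake_server_caught = c2.logon2(r1) is None                # captured response echoed back
    s2 = ServerSession("srv1", DEMO_USERS)                     # fresh Rb
    replay_caught = s2.on_logon1(p1) is not None and s2.on_logon2(p2) is None
    return fake_server_caught, replay_caught
```

run_logon returns True only when both sides finish with the same Ks. A wrong server name, a wrong password and an unknown user ID each leave the server silent, as the text requires, and replay_is_rejected covers the two replay cases the text describes: a captured server response fails the R'a check at a client that chose a fresh Ra, and a replayed second logon packet fails the R'b check because the server issued a fresh Rb.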

FIGS. 4A-C illustrate the memory layout of the packets used in the preferred embodiment. FIG. 4A illustrates a packet as encrypted by security level 1. In security level 1, the packet header is encrypted using single DES encoding. This level of security incurs the least amount of overhead and is preferably used in more secure environments such as LANs.

FIG. 4B illustrates a packet as encrypted by security level 2. In security level 2, the packet header and data are encrypted using single DES encoding. This level of security incurs slightly increased overhead as compared to security level 1, but provides an increased level of security for less secure environments such as wide area networks.

FIG. 4C illustrates a packet as encrypted by security level 3. In security level 3, the packet header and the data are encrypted using triple DES encoding. This level of security incurs the most overhead as compared to security levels 1 and 2, but provides the highest level of security for insecure environments such as public telephone networks.

To protect data exchanged over communication sessions, the preferred embodiment provides two different encryption schemes available to the user at logon. The first scheme is the US federal Data Encryption Standard (DES) and the second scheme is the triple-DES specified in the ANSI X9.17 and ISO 8732 standards, but with three different keys. In addition, the preferred embodiment utilizes the Cipher Block Chaining mode specified in FIPS PUB 81 to better protect the data. Once an encryption scheme is selected, data exchanged over all sessions connected to a network domain are encrypted regardless of the communication protocols being used by the sessions. The price to be paid for the encryption is minimal anyway, since the preferred embodiment encrypts 500,000 bytes per second when running on a Pentium 66 MHz processor. The operating system used can be any suitable personal computer operating system such as Microsoft (TM) Windows 95 (TM), IBM (TM) OS/2 Warp (TM), Unix, etc. If the server is a large system, any one of a number of suitable mainframe operating systems may be used.

In addition to the above encryption schemes, the preferred embodiment employs a dynamic packet header technique to provide extra security based on the security level selected by the user at logon. If security level 2 is selected, the packet header and data are encrypted with DES and the packet header is changed to 24 bytes to carry the CRC signatures of the packet header and data for authentication. However, if security level 3 is selected, the packet header and data are encrypted with triple-DES using three different keys. Finally, if security level 1 is selected, the packet header remains at 16 bytes and no signature is verified, for better performance, but the packet header is encrypted with DES to provide security against other threats. Thus, thanks to the dynamic packet header technique, a user can set up different types of firewalls wherever he needs them. For instance, the user can connect to his office from his home using security level 2 and set up his office machine to connect to another server within his organization using a lower security level to gain better performance.

In order to provide better security, the preferred embodiment allows the user to select whether the data should stay in its encrypted form so that only authorized personnel can view the data. This is important for sensitive business data, personnel data, etc. Of course, the key to decrypt the data must be agreed to ahead of time or exchanged over some secured channel to protect the secrecy of the key.

Of course, those skilled in the art will recognize that the user could also have the capability of instructing the system that no encryption will be used. In this case, no encryption would represent a fourth security level (security level 0), security levels 1-3 having been discussed in regard to FIG. 4.
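The dynamic packet header at the four security levels, as an added example in Python; it is not the patent's code. The field layout is an assumption, since the page gives only the header sizes: 16 bytes (length, sequence number, packet type, flags, padding) at levels 0 and 1, and 24 bytes at levels 2 and 3 with the CRC-32 signatures of header and data appended. The DES or triple-DES step is left to a caller-supplied encrypt/decrypt pair; xor_cipher is a byte-wise XOR placeholder that only marks where the cipher sits and provides no confidentiality. The simulation drops one packet and flips one data byte, which is what the initial sequence numbers and the level-2 signatures described above are there to catch.

```python
import struct, zlib

HDR_FMT = ">IIHH4x"    # 16 bytes: length, sequence, type, flags, pad (layout assumed)
SIG_FMT = ">II"        # 8 more bytes at levels 2-3: CRC(header), CRC(data)

def xor_cipher(key=0x5A):
    """Placeholder for DES/3DES: byte-wise XOR. NOT a cipher; it only marks the step."""
    f = lambda b: bytes(x ^ key for x in b)
    return f, f

class PacketCodec:
    """One side of a session: builds outgoing packets and checks incoming ones."""
    def __init__(self, level, initial_seq, cipher=None):
        if level not in (0, 1, 2, 3):
            raise ValueError("security level must be 0..3")
        self.level, self.seq = level, initial_seq   # seq: the initial packet sequence number
        self.enc, self.dec = cipher or ((lambda b: b), (lambda b: b))

    def header_size(self):
        return 24 if self.level >= 2 else 16

    def build(self, ptype, data):
        hdr = struct.pack(HDR_FMT, len(data), self.seq, ptype, 0)
        self.seq += 1
        if self.level >= 2:                         # header and data encrypted, signatures carried
            hdr += struct.pack(SIG_FMT, zlib.crc32(hdr), zlib.crc32(data))
            return self.enc(hdr + data)
        if self.level == 1:                         # header only encrypted, no signatures
            return self.enc(hdr) + data
        return hdr + data                           # level 0: nothing encrypted

    def parse(self, raw):
        """Return (ptype, data); raise ValueError on modification or a sequence gap."""
        if self.level >= 2:
            raw = self.dec(raw)
        elif self.level == 1:
            raw = self.dec(raw[:16]) + raw[16:]
        n = self.header_size()
        hdr, data = raw[:n], raw[n:]
        length, seq, ptype, _ = struct.unpack(HDR_FMT, hdr[:16])
        if self.level >= 2:
            sig_hdr, sig_data = struct.unpack(SIG_FMT, hdr[16:])
            if sig_hdr != zlib.crc32(hdr[:16]) or sig_data != zlib.crc32(data):
                raise ValueError("signature mismatch: packet was modified")
        if len(data) != length:
            raise ValueError("length mismatch: packet truncated or extended")
        if seq != self.seq:                         # deletion or insertion on the link
            raise ValueError("sequence gap: expected %d, got %d" % (self.seq, seq))
        self.seq += 1
        return ptype, data

def simulate(level):
    """Three packets over a level-N session: the second is lost, the third is altered."""
    tx = PacketCodec(level, 1000, xor_cipher())
    rx = PacketCodec(level, 1000, xor_cipher())
    p1, p2, p3 = (tx.build(1, b"payload-%d" % i) for i in (1, 2, 3))
    out = {"header_bytes": tx.header_size(), "p1": rx.parse(p1)[1]}
    try:
        rx.parse(p3)                                # p2 never arrived
        out["drop"] = "missed"
    except ValueError as e:
        out["drop"] = str(e).split(":")[0]
    rx.seq = 1002                                   # resynchronise for the next test
    altered = bytearray(p3); altered[-1] ^= 0x01    # one data bit flipped on the wire
    try:
        rx.parse(bytes(altered))
        out["tamper"] = "missed"                    # levels 0-1: no signature to check
    except ValueError as e:
        out["tamper"] = str(e).split(":")[0]
    return out
```

simulate(1) reports the dropped packet but not the modified byte, which is the trade-off the text states for level 1 (no signature verified); simulate(2) and simulate(3) report both, at the cost of the 24 byte header.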

FIGS. 5A-B illustrate the packet queue structure used in the preferred embodiment. FIG. 5A illustrates the TCP/IP and NetBIOS communications structure and FIG. 5B illustrates the SMODEM and SRS232 communications structure. The compressed buffer is a work buffer used to compress data prior to transmission through SMODEM or SRS232 communication lines. A packet header is placed at the beginning of the read token and at the beginning of the write token. In the preferred embodiment, the read and write tokens are stored in shared memory.

FIG. 6 illustrates a configuration in which multiple requesters 110 communicate with a single server 602.

FIG. 7 illustrates a configuration in which a single requester 110 communicates with multiple servers 702.

FIG. 8 illustrates a configuration in which a system 802 and multiple servers 804 communicate with one another.

FIG. 9 illustrates a configuration in which multiple systems 802 and multiple servers 804 communicate with one another via modems 124 over phone lines 906 and also over LANs 902 and wide area networks 904. This figure illustrates the ability of the system to interface with multiple communications protocols.

FIG. 10 illustrates a configuration in which multiple requester systems 1002, multiple server systems 1004, and multiple server/requester systems 1006 communicate with one another. The configuration in this figure is similar to that shown in FIG. 9.

FIGS. 11 and 12 illustrate a configuration in a server 1004 which includes communication sessions 1120 to communicate with requesters, an encrypter/decrypter 1128, read threads 1114, write threads 1116, packet queues 1110, 1112, and a resource control manager 1102 to control user ID, access permission, and alias and path storage 1104, 1106, 1108. The cached user ID and access permission 1124 and the cached alias and associated path 1126 caches are used to store data from the access permission storage 1106 and the alias and path storage disks 1108 for improved system performance.

To protect resources on the network domains, an access control list (ACL) is used for each network domain in access permission storage 1106. The ACLs are managed by network administrators to define which resources a user can access and what kind of access the user has to each resource. The system provides a sophisticated ACL so that a user cannot view or access any resources other than those assigned. The following access permissions are used by our ACLs:

READ_FILE

WRITE_FILE

CREATE_FILE

DELETE_FILE

EXECUTE_FILE

CHANGE_ATTRIBUTE

ACCESS_SUBDIR

CREATE_SUBDIR

REMOVE_SUBDIR
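
The permission set listed above applied to a network resource, as an added example in Python that is not the patent's code; the ACL storage layout, the resource tree and the path normalisation step are assumptions made here. It encodes the rule the text gives for ACCESS_SUBDIR: a user without it neither sees subdirectories in a listing nor reaches a path inside one, and any ".." in the requested path is collapsed against the resource root first so that the rule cannot be sidestepped by climbing out of the resource.

```python
import enum, posixpath

class Perm(enum.IntFlag):
    READ_FILE = 1; WRITE_FILE = 2; CREATE_FILE = 4; DELETE_FILE = 8
    EXECUTE_FILE = 16; CHANGE_ATTRIBUTE = 32
    ACCESS_SUBDIR = 64; CREATE_SUBDIR = 128; REMOVE_SUBDIR = 256

class DomainACL:
    """ACL for one network domain.  entries: {(user, resource): Perm};
    tree: {directory: [names]} where a trailing '/' marks a subdirectory."""
    def __init__(self, entries, tree):
        self.entries, self.tree = entries, tree

    def _perm(self, user, resource):
        return self.entries.get((user, resource), Perm(0))

    @staticmethod
    def _contain(path):
        # Collapse '.', '..' and '//' against the resource root so '..' cannot climb out
        return posixpath.normpath("/" + path).strip("/")

    def check(self, user, resource, path, want):
        """True if `user` holds every bit of `want` on resource/path."""
        rel = self._contain(path)
        p = self._perm(user, resource)
        if "/" in rel and not p & Perm.ACCESS_SUBDIR:   # target lies inside a subdirectory
            return False
        return (p & want) == want

    def list_dir(self, user, resource, path=""):
        """Names visible to `user`; None if the directory itself is off limits."""
        rel = self._contain(path)
        p = self._perm(user, resource)
        if rel and not p & Perm.ACCESS_SUBDIR:
            return None                                 # the subdirectory is not even visible
        return [n for n in self.tree.get(rel, [])
                if not n.endswith("/") or p & Perm.ACCESS_SUBDIR]

# Constructed resource "PROJ" with one subdirectory, and two users' access records
TREE = {"": ["readme.txt", "docs/"], "docs": ["plan.txt"]}
ACL = DomainACL({
    ("alice", "PROJ"): Perm.READ_FILE | Perm.WRITE_FILE | Perm.ACCESS_SUBDIR,
    ("bob", "PROJ"): Perm.READ_FILE,                    # no ACCESS_SUBDIR
}, TREE)
```

For bob the listing of PROJ contains only readme.txt, a request for docs/plan.txt is refused, and ../docs/plan.txt normalises to docs/plan.txt and is refused for the same reason; a user with no access record at all gets Perm(0) and fails every check.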

For example, if the user is not permitted access to any subdirectories from a network resource, the user will not see any subdirectory at all when viewing the network resource. If for some reason the user knows a particular subdirectory exists under the network resource, he cannot access it anyway. The management of network resources and user access permissions is provided with a user-friendly Graphical User Interface application. Together with the logon procedure, ACLs provide effective protections to the resources on the network domains.

FIG. 12 is a more detailed view of the server 1004 of FIG. 11. A control manager 1122 within the server 1004 is responsible for communication between the server 1004 and other applications on the server 1004 machine. Thus, the server 1004 can be informed if a database has been changed by a resource control application. The server 1004 can also accept a message from another application 102 to send to all or selected clients over active sessions. If an electronic mail system should be needed, the server 1004 can save the message and wait until a client is logged on to send the message over the session. To support these features, the control manager 1122 posts message or e-mail packets to the incoming packet queues 1206 of the sessions 1120. When the server processing threads 1114, 1116 of the sessions 1120 retrieve the packets from the queue 1206, they process the packets based on the packet types defined in the packet headers.

FIGS. 13A-D illustrate the packet headers used in the logon procedure. A session key KS and an initialization vector IV are defined for a communication session between a client and a server 1004 when security level 1 or higher is desired (in security level 0, no encryption is used).

FIG. 13E illustrates a normal packet such as those used during data transfer. When an e-mail or message packet is sent, the preferred embodiment uses security level 2 by default to protect the messages. In security level 2, both packet header and data are encrypted using single DES encryption.

The requester also has the capability to signal request routers 106 of all applications 102 when a communication session is terminated abnormally, whether the request routers 106 are sending request packets or waiting on response packets. In order to perform this feature, the response signals (i.e., the return addresses stored in the request packets) are saved in response-signal queues by the session write thread 1116. Each communication session has a response-signal queue 1206 to reduce the search time. When the response packets are successfully delivered, their corresponding response signals are removed from the queue by the session read threads 1114 of the corresponding communication channels. If an application 102 terminates before its response packets arrive, the response packets are discarded and the response signals are also removed from the queue after all chaining response packets have arrived.

In addition, the read thread of the client session also recognizes different types of packets to determine whether it should route the received packets to the application's request router or to a message manager within the requester. The message manager of the requester is responsible for message and e-mail packets sent from the connected servers. This feature is important because it allows the server to initiate the sending of packets while a session is active. As an example, a hot-link can be defined so that a server can inform the connected clients if a database should be changed, or a server administrator can send a message to all or selected clients telling them if a server should be out of service shortly, etc. In a more advanced application, an electronic-mail server application can be written so that the message packets are saved on the server until a client is logged on. At that time, the server will send the saved messages to the connected client.

In the prior art the requester is the one that translates and formats requests from the applications; thus, it cannot perform preparation ahead of time. In addition, information accumulating in one place could increase the search time. The prior art requires its intrinsics modules in both the application and the requester, which may require more resources to be allocated and more machine instructions to be executed. Furthermore, the prior art does not have the capability to accumulate multiple request packets from a requester so that the server can process the next packet request while the previous response packet is traveling back to the requester on the network or being processed by communication devices in their own memory buffers.

In contrast to the prior art, the preferred embodiment contains the formatting and translating code in just one place, the request router 106. Our requester only encrypts packet headers and packet data if necessary and then calls the transport functions to send the packets to the server. In addition, requester 110 is also responsible for saving logon and mounting information, managing the communication sessions, and delivering response packets received from multiple network domains to multiple request routers while sending request packets to the multiple network domains. Requester 110 does not need to know the format of the response data, and can deliver the response packets immediately upon receiving them. The request routers 106 can then format or translate the response data in the applications' timeslices while the requester 110 is waiting for other incoming response packets or reading data from the communication devices 120, 122, 124, 126. Thus, the preferred embodiment achieves better performance than the prior art.

The prior art also requires the intrinsic modules to translate and format the application data from a program stack segment to a parameter block before sending it to its requester, where the data is once again formatted or copied into a data communication buffer. In contrast, the request routers 106 in the preferred embodiment format the application data only once and store the formatted data into the write token, which will be used by the requester and the communication subsystem to send the request packets to the server. When the response packets arrive, the requester 110 uses the response signals to tell the corresponding request routers that their response packets have arrived. At that time, the request routers 106 transfer response data directly from the read tokens into the application buffers. Thus, the preferred embodiment eliminates the overhead of copying data between memory buffers.

Furthermore, the prior art does not have the dynamic packet header feature to support packet authentication on demand. Neither does its server authenticate the requester to prevent replaying of packets by intruders. The prior art also requires two different programs running on the server to wait for incoming data from different communication protocols. The preferred embodiment only requires the server to be started once for multiple communication protocols.

In general, a session on the server 1004 will support multiple applications on the requester; thus, a server 1004 must somehow remember the resources allocated for the client applications so that these resources can be released whether the client applications terminate abnormally or the communication sessions are destroyed abnormally. Our server supports this feature in each session thread. Since the allocated resources are remembered separately for different requesters, the search time is minimal every time they are added or removed from the memorized list. In addition, security audit can be turned on and off by the network resource manager running on the server over the control
[...] supplied in the auditing request packet, or [...] names are stored in the auditing request packet [...] can also be logged based on successful [...], or both.

[...] application is the one which determines if a session should be started on the host computer. The application then makes a function call to connect to the [...] host [...] process. In the preferred embodiment, the session manager [...] to couple the client computer to the server computer. Once the connection is established, the server automatically [...] a processing thread to process the client request packets received over the connection. After the server receiving thread [...] packets in a packet queue so that they will be [...] by the server processing thread. When a [...] request packet is received, [...] threads terminate themselves. However, if the [...] communication session is destroyed abnormally, [...] the receiving thread simulates a disconnect [...] and appends it to the packet queue to signal the server [...] session to terminate. The server receiving [...] logon mentioned in the above paragraph [...]. Since request packets are accumulated in the packet queue, [...] requests to the same host computer [...].

The prior art requires an application to send a function call to the host computer to establish a communication session. Our system establishes a communication session when [...] and retranslate the request packets to [...] before forwarding them. [...] server when the network [...] on the server. That is, multiple servers can [...] shown in FIGS. 7-10 to expand the [...] of [...] resources available to [...] requires the intermediate [...]. Users on request[...] advised when using this feature since logon user IDs and passwords must be sent along with the [...] packets.

[...] encrypted with a generated [...] intruders early in the verification process. For intruders [...] the server name may be [...] as part of the logon [...] random number and the CRC values. These are the heart of the verification [...] the key generated from the user ID and password. This scheme allows the server to [...] logon right on the very first packet. The [...] packets that follow the logon [...] replayed packets.

The encryption system used in the [...] on the network. Thus, the [...] occurs at the application layer which [...] protocols but the intruders must [...] with different keys whose lengths are either 64 or 192 [...] data between [...] data must [...] application layer also reduces the cost of communication [...] file transfers, broadcast messages. In addition to minimum [...]

[...] invention has been described with respect to a [...] it will be understood by those [...] changes [...] may be made [...] without departing from the spirit [...] encryption algorithms used to generate the [...] in hardware or software, etc. Accordingly, the invention [...] defined in the [...]

I claim:

1. A security system for a network comprising:
[...] communication means to communicate with a [...]
packet reception means to receive transmitted packet data from the server;
means to generate and transmit a first packet to the server, at least a portion of the first packet having a first packet header containing client identifying information;
means to encrypt at least a portion of the client identifying information in the first packet header prior to transmission;
means to decrypt at least a portion of the client authenticating information in a second packet header and to determine if the second packet is from the server, the client further having means to terminate the communication if the second packet is from an invalid server;
means to generate and transmit a third packet to the server, at least a portion of the third packet having a third packet header containing session information;
means to encrypt at least a portion of the session information in the third packet header prior to transmission; and
the server further comprising:
server communication means to communicate with the client [...]
packet reception means to receive transmitted packet data from the client;
means to decrypt at least a portion of the client identifying information in the first packet header and to determine if the first packet is from a valid client, the server further having means to terminate the communication if the first packet is from an invalid client;
means to generate and transmit a second packet to the client in response to the first packet, at least a portion of the second packet having the second packet header containing client authenticating information;
means to encrypt at least a portion of the client authenticating information in the second packet header prior to transmission; and
means to decrypt at least a portion of the session information in the third packet header;
whereby the client and the server each verify the validity of the other by transmitting encrypted [...] information to one another.

2. A security system, as in claim 1, further comprising:
means in the server to generate and transmit a fourth packet to the client in response to the third packet, the fourth packet having a packet header containing session information; and
means to encrypt at least a portion of the session information in the fourth packet header prior to transmission.

3. A security system, as in claim 2, wherein:
the client has a userid;
the client has a password;
the first packet is encrypted by:
concatenating a random number to a predetermined bit constant to form a value R;
a CRC signature C1 is generated from the value R and the value R is used as a DES key to encrypt the userid;
the server name is used to generate a key K to encrypt the value R;
the key Ka is generated by a one way hash function from the userid and password; and
a random number Ra and its CRC signature C2 is generated, Ra and C2 are encrypted using key Ka.

4. A security system, as in claim 3, wherein:
the server further comprises an encrypted client password file;
the second packet is encrypted by:
a key K2 is generated from the server name and a one way hash function to decrypt the packet header of the first packet;
the userid is decrypted using the decrypted value R from the packet header;
the decrypted userid is used to access an authorization table to determine if the first packet is valid;
the userid is used to extract a one way hashed password Kb from the encrypted client password file, the password Kb is then used to decrypt values Ra, C1 and C2;
the value Ra is manipulated via a predetermined formula to produce a random number R'a;
a random number Rb is generated [...];
R'a and Rb are encrypted with password Kb, inserted into the packet header of the second packet and transmitted to the client.
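Below is the logon exchange of claims 3 and 4 as an added Go example (not the patent's own code), in which the server rejects a wrong password or unknown userid on the very first packet and the client rejects a reply not produced under Kb. Go's crypto/des supplies the single DES of the claims; the one-way hash (SHA-256 truncated to 64 bits), the block mode (ECB), the R'a formula (bitwise NOT), the header layout and the constructed userid, password, server name and bit constant are assumptions the patent does not fix.

```go
package main

import (
	"bytes"
	"crypto/des"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"hash/crc32"
)
var be = binary.BigEndian
// desECB runs single DES over whole 8-byte blocks; the claims name DES but no mode, so ECB is an assumption.
func desECB(key, in []byte, decrypt bool) []byte {
	c, _ := des.NewCipher(key) // every key here is exactly 8 bytes
	f, out := c.Encrypt, make([]byte, len(in))
	if decrypt {
		f = c.Decrypt
	}
	for i := 0; i < len(in); i += 8 {
		f(out[i:], in[i:])
	}
	return out
}
// keyFrom is the claims' one-way hash truncated to a 64-bit DES key (SHA-256 is an assumed choice).
func keyFrom(s string) []byte { h := sha256.Sum256([]byte(s)); return h[:8] }
// ClientLogon builds the first packet header of claim 3 (R under the server-name key, userid under R,
// Ra|C1|C2 under Ka) and returns it with Ka and Ra, which the client keeps to check the server's reply.
func ClientLogon(userid, password, server string) ([]byte, []byte, uint32) {
	R := []byte{0, 0, 0, 0, 0xA5, 0xA5, 0xA5, 0xA5} // constant half is a constructed value
	rand.Read(R[:4])                                // random half: R is the 64-bit DES key
	user := append([]byte(userid), make([]byte, 8-len(userid))...) // userid assumed at most 8 bytes
	blob := make([]byte, 16)                                      // Ra | C1 | C2 | zero pad
	rand.Read(blob[:4])
	be.PutUint32(blob[4:], crc32.ChecksumIEEE(R))       // C1
	be.PutUint32(blob[8:], crc32.ChecksumIEEE(blob[:4])) // C2
	Ka := keyFrom(userid + "\x00" + password)
	hdr := append(desECB(keyFrom(server), R, false), desECB(R, user, false)...)
	return append(hdr, desECB(Ka, blob, false)...), Ka, be.Uint32(blob)
}
// ServerVerify is the claim 4 processing: any failed check rejects the logon on the very first packet.
func ServerVerify(hdr []byte, server string, pwFile map[string][]byte, acl map[string]bool) ([]byte, error) {
	R := desECB(keyFrom(server), hdr[:8], true)
	userid := string(bytes.TrimRight(desECB(R, hdr[8:16], true), "\x00"))
	Kb, ok := pwFile[userid] // the stored one-way hash of the password, never the clear password
	if !ok || !acl[userid] {
		return nil, errors.New("userid not in authorization table")
	}
	blob := desECB(Kb, hdr[16:], true)
	if be.Uint32(blob[4:]) != crc32.ChecksumIEEE(R) || be.Uint32(blob[8:]) != crc32.ChecksumIEEE(blob[:4]) {
		return nil, errors.New("wrong password or tampered packet")
	}
	reply := make([]byte, 8) // R'a | Rb under Kb; R'a = ^Ra stands in for the patent's unstated formula
	be.PutUint32(reply, ^be.Uint32(blob))
	rand.Read(reply[4:])
	return desECB(Kb, reply, false), nil
}
// ClientVerify checks the second packet: only a server holding Kb can produce R'a, so a mismatch is an invalid server.
func ClientVerify(second, Ka []byte, Ra uint32) ([]byte, error) {
	reply := desECB(Ka, second, true)
	if be.Uint32(reply) != ^Ra { // same assumed formula as the server side
		return nil, errors.New("invalid server, terminating session")
	}
	return reply[4:], nil // Rb, carried into the session information of the third packet
}
```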
5. A bidirectional security system for a network, comprising:
at least one client, the client further comprising:
means to encrypt a first logon packet;
means to transmit the first logon packet to the server;
means to decrypt the second logon packet;
means to encrypt a third logon packet with session information;
a server, further comprising:
means to decrypt the first logon packet;
means to encrypt a second logon packet with client authenticating information;
means to transmit the second logon packet to the client;
means to decrypt the third logon packet; and
a communication channel capable of transmitting packets between the client machine and the server;
whereby the client and server can establish secure communications by bidirectionally transmitting encrypted [...]

6. A security system, as in claim 5, further comprising:
means to encrypt packet data in at least two security levels, the first security level having a first packet encryption scheme and the second security level having a second packet encryption scheme;
whereby the security system can selectably encrypt packet data with at least two packet encryption schemes.

7. A security system, as in claim 6, further comprising:
means to encrypt packet data in at least three security levels, the third security level having a third packet encryption scheme;
whereby the security system can selectably encrypt packet data with at least three packet encryption schemes.

8. A security system, as in claim 7, wherein the first packet encryption scheme is a single DES encryption.

9. A security system, as in claim 8, wherein the second packet encryption is a triple DES encryption.

10. A security system, as in claim 9, wherein:
the first packet encryption scheme encrypts the packet header information; and
the second packet encryption scheme encrypts the packet header information;
the third packet encryption scheme is a triple DES encryption and further encrypts the packet header and the packet data.
11. A security system, as in claim 10, wherein:
the server further comprises means to encrypt a fourth logon packet with session information; and
the client further comprises means to decrypt the fourth logon packet.

12. A security system, as in claim 9, wherein:
the client further comprises means to encrypt data packets; and
the server further comprises means to encrypt data packets;
data packets are selectably encrypted using at least one of the security levels; and
means to dynamically adjust the size of the packet header based on the selected encryption scheme.

13. A security system, as in claim 5, wherein:
each client includes at least one application program; and
the server further comprises at least one packet queue for each client;
whereby application performance is improved by reducing packet search time.

14. A method of securely transmitting packet data between a client and a server with encrypted packets, including the steps of:
using at least one communication channel to transmit packets between at least one client machine and at least one server;
encrypting in the client a first logon packet;
transmitting the first logon packet to the server;
decrypting the first logon packet in the server;
encrypting a second logon packet in the server with client authenticating information;
transmitting the second logon packet to the client;
decrypting the second logon packet in the client;
encrypting in the client a third logon packet with session information;
decrypting the third logon packet in the server;
whereby the client and server can establish secure communications by bi-directionally transmitting encrypted [...]

15. A method, as in claim 14, including the further steps of:
encrypting a fourth logon packet in the server with session information;
transmitting the fourth logon packet to the client; and
decrypting the fourth logon packet in the client;
using the session information to control encryption of packets while communicating between the client and the server.

16. A method, as in claim 15, including the further step of using at least two selectable encryption schemes, including a first encryption scheme for a first security level and a second encryption scheme for a second security level.

17. A method, as in claim 16, including the further steps of:
using at least two communication channels to communicate between multiple clients and servers, at least a first communication channel having a first level of security and at least a second communication channel having a second level of security; and
selecting the first encryption scheme for the first communication channel and the second encryption scheme for the second communication channel.

18. A method, as in claim 17, including the further step of using single DES encryption for the first level of security and triple DES encryption for the second level of security.

19. A method, as in claim 18, including the further steps of:
using packets which contain a header portion and a data portion; and
using a third encryption scheme in which triple DES encryption is used for the packet header and the packet data.

20. A method, as in claim 19, including the further steps of:
selecting the encryption scheme based on the nature of the data in the packet; and
dynamically adjusting the size of the packet header based on the selected encryption scheme.